Curious if your line breaks are correct? Your block and pass rule appear to be on the same line.

This should do it . . .

    block in all
    block return in quick from !$internal_ip to $external_ip
    pass out all keep state

But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology. I also would not suggest "return" for non-internal traffic except for specific targeted services that it might affect. . . .

    :BEGIN
    spoof on lo0
    spoof on $ext_if
    block all
    pass out quick from $me
    pass in quick from $int to $me
    :END

And that should accomplish what you are trying to do, IIUC. You can use pftop to verify packets on hit rules.

> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vas...@gmail.com> wrote:
>
> Hi all,
>
> I have a 9.1-STABLE r251615 acting as a firewall.
>
> The rules:
> block in all pass out all keep state [...] block return from !$internal_ip
> to $external_ip
>
> What I want is to block all the network except $internal from accessing
> $external_ip. For some reason, the above rule simply does not work.
> However, the below does work and blocks everyone except $internal_ip:
>
> block return from $internal_net/24 to $external_ip pass from $internal_ip
> to $external_ip
>
> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> should work like in the first example.
>
> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>
> --
> Best regards,
> Claudiu Vasadi
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
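To make the ordering point behind this exchange concrete, here is a small Python model of how pf picks a verdict for a packet (an added example, not code from the thread or from pf itself): the last matching rule wins unless a matching rule carries `quick`, which ends evaluation on the spot, and a packet that matches no rule is passed. It evaluates the rulesets quoted in the thread against a few constructed packets. The macro values, the addresses and the helper names are all assumptions; the `spoof` lines and `keep state` are not modelled; and the elided `[...]` rules of the original post are unknown, so the model cannot reproduce the poster's actual behaviour, only what the quoted lines do on their own.

```python
"""Toy model of pf rule ordering: last matching rule wins unless 'quick'.

Added example for the pf thread above, not code from the thread or from pf.
It models only block/pass, in/out, quick, single addresses or CIDR networks
with optional '!' negation, and $macro expansion. 'return', 'all' and
'keep state' are accepted and ignored. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for the thread's macros (assumption).
MACROS = {
    "internal_ip": "10.0.0.5",
    "internal_net": "10.0.0.0",
    "external_ip": "203.0.113.1",
    "me": "203.0.113.1",
    "int": "10.0.0.5",
}

Net = Optional[ipaddress.IPv4Network]  # None stands for 'any'


@dataclass
class Rule:
    action: str                 # 'block' or 'pass'
    direction: Optional[str]    # 'in', 'out' or None for both directions
    quick: bool
    src: Net
    src_neg: bool
    dst: Net
    dst_neg: bool
    text: str


def _parse_addr(token, macros):
    """'!$internal_net/24' -> (10.0.0.0/24, negated); 'any' -> (None, neg)."""
    neg = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        name, _, prefix = token[1:].partition("/")
        token = macros[name] + ("/" + prefix if prefix else "")
    if token == "any":
        return None, neg
    return ipaddress.ip_network(token, strict=False), neg


def parse_rule(line, macros=MACROS):
    tokens = line.split()
    action = tokens[0]
    if action not in ("block", "pass"):
        raise ValueError(f"unsupported action in rule: {line}")
    direction, quick = None, False
    src = dst = None
    src_neg = dst_neg = False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok == "from":
            src, src_neg = _parse_addr(tokens[i + 1], macros)
            i += 1
        elif tok == "to":
            dst, dst_neg = _parse_addr(tokens[i + 1], macros)
            i += 1
        elif tok in ("return", "all", "keep", "state"):
            pass  # real pf keywords that this model does not need
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
        i += 1
    return Rule(action, direction, quick, src, src_neg, dst, dst_neg, line)


def load_rules(text, macros=MACROS):
    lines = [l for l in text.strip().splitlines() if l.strip()]
    return [parse_rule(l, macros) for l in lines]


def _addr_match(net, neg, addr):
    if net is None:
        return True  # 'any'
    return (ipaddress.ip_address(addr) in net) != neg


def matches(rule, direction, src, dst):
    return (rule.direction in (None, direction)
            and _addr_match(rule.src, rule.src_neg, src)
            and _addr_match(rule.dst, rule.dst_neg, dst))


def evaluate(rules, direction, src, dst):
    """Return 'pass' or 'block'; pf passes a packet that matches no rule."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, direction, src, dst):
            verdict = rule.action  # a later match overrides an earlier one
            if rule.quick:
                break              # 'quick' ends evaluation at this rule
    return verdict


# The poster's first ruleset as quoted; the '[...]' lines are unknown.
RULES_OP_FIRST = """
block in all
pass out all keep state
block return from !$internal_ip to $external_ip
"""
# The poster's second ruleset, which he reports works.
RULES_OP_SECOND = """
block in all
pass out all keep state
block return from $internal_net/24 to $external_ip
pass from $internal_ip to $external_ip
"""
# The reply's suggestion without its 'spoof' lines (not modelled).
RULES_REPLY = """
block all
pass out quick from $me
pass in quick from $int to $me
"""
# Same pass rule placed first and without 'quick': 'block all' wins.
RULES_NO_QUICK = """
pass in from $int to $me
block all
"""

if __name__ == "__main__":
    packets = [("in", "10.0.0.5", "203.0.113.1"),      # $internal_ip -> firewall
               ("in", "10.0.0.9", "203.0.113.1"),      # other LAN host -> firewall
               ("in", "198.51.100.7", "203.0.113.1"),  # outside host -> firewall
               ("out", "203.0.113.1", "198.51.100.7")]  # firewall -> outside
    for name, text in [("op-first", RULES_OP_FIRST), ("op-second", RULES_OP_SECOND),
                       ("reply", RULES_REPLY), ("no-quick", RULES_NO_QUICK)]:
        rules = load_rules(text)
        for d, s, t in packets:
            print(f"{name:10} {d:3} {s:>14} -> {t:<14} {evaluate(rules, d, s, t)}")
```

On the quoted lines alone, the first ruleset blocks the internal host too, since nothing passes it in, which is the point the reply makes about a `block all` rule making the second block redundant; the second ruleset lets only `$internal_ip` through because its `pass` comes last; and the `no-quick` variant shows why the reply puts `quick` on its pass rules.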